Find sigma rule
Attack: Event Triggered Execution: Netsh Helper DLL
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
MITRE
Tactic
- privilege-escalation
- persistence
technique
- T1546.007
Test : Netsh Helper DLL Registration
OS
- windows
Description:
You can register a “helper dll” with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called. The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run.
Executor
command_prompt
Sigma Rule
- proc_creation_win_netsh_helper_dll_persistence.yml (id: 56321594-9087-49d9-bf10-524fe8479452)